On Thursday 2011-04-28 16:18, Fiedler Roman wrote:

>Hello List,
>
>Is there a significant benefit when checking correct TCP flags in PREROUTING, e.g. with
>
>iptables -t nat -A PREROUTING --destination a.b.c.d -p tcp -m tcp --dport 80 --syn -j DNAT --to-destination w.x.y.z

It would restrict "NEW" tcp connections to begin with SYN and would not consider translating connections that get picked up after a flush of the CT table, for example.

>Before accepting in INPUT rulebase:
>
>... -m state --state ESTABLISHED -j ACCEPT
>... --destination w.x.y.z -p tcp -m tcp --dport 80 --syn -j ACCEPT
>... drop/reject with logging

-m state should ideally be -m conntrack.
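The effect described in the reply, modelled as an added example that is not part of the thread: a minimal conntrack table, the PREROUTING DNAT rule and the three INPUT rules quoted above, run over constructed packets. The nat table is only consulted for NEW connections, so a mid-stream packet arriving after the conntrack table was flushed is NEW again, and `--syn` decides whether that packet is translated. The addresses a.b.c.d and w.x.y.z are taken from the thread; the client address, ports and the flush scenario are made up for the example.

```python
"""Toy model of `--syn` in a PREROUTING DNAT rule after a conntrack flush.

Added example, not code from the thread.  Flag bits follow the TCP header;
the nat table is evaluated only for NEW connections, as in netfilter.
"""
from dataclasses import dataclass
from typing import Optional

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

PUBLIC = "a.b.c.d"   # address the DNAT rule matches on (from the thread)
TARGET = "w.x.y.z"   # address the rule translates to; local host in this setup


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def matches_syn(flags: int) -> bool:
    """iptables `--syn`: SYN set and ACK, RST and FIN all clear."""
    return flags & (SYN | ACK | RST | FIN) == SYN


class Conntrack:
    """Confirmed connections and the DNAT mapping chosen for each one."""

    def __init__(self) -> None:
        self._entries: dict[tuple, Optional[str]] = {}

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.src, p.sport, p.dst, p.dport)

    def state(self, p: Packet) -> str:
        return "ESTABLISHED" if self._key(p) in self._entries else "NEW"

    def mapping(self, p: Packet) -> Optional[str]:
        return self._entries.get(self._key(p))

    def confirm(self, p: Packet, nat_to: Optional[str]) -> None:
        self._entries[self._key(p)] = nat_to

    def flush(self) -> None:
        self._entries.clear()


def handle(p: Packet, ct: Conntrack, require_syn: bool) -> tuple[str, str, str]:
    """Run one packet through nat/PREROUTING and filter/INPUT.

    Returns (conntrack state seen, destination after NAT, INPUT verdict).
    """
    state = ct.state(p)
    if state == "NEW":
        # nat table: only the first packet of a connection is evaluated here
        rule_hit = (p.dst == PUBLIC and p.dport == 80
                    and (not require_syn or matches_syn(p.flags)))
        nat_to = TARGET if rule_hit else None
    else:
        # later packets reuse the mapping stored in the conntrack entry
        nat_to = ct.mapping(p)
    dst = nat_to or p.dst

    # filter/INPUT as quoted in the thread: ESTABLISHED / SYN to target / drop
    if state == "ESTABLISHED":
        verdict = "ACCEPT"
    elif dst == TARGET and p.dport == 80 and matches_syn(p.flags):
        verdict = "ACCEPT"
    else:
        verdict = "DROP"

    # conntrack only confirms an entry for a packet that was not dropped
    if verdict == "ACCEPT":
        ct.confirm(p, nat_to)
    return state, dst, verdict


def run_scenario(require_syn: bool) -> list[tuple[str, str, str]]:
    """Handshake, one data packet, a conntrack flush, then another mid-stream packet."""
    ct = Conntrack()

    def pkt(flags: int) -> Packet:
        # constructed client address and source port
        return Packet("198.51.100.7", 40000, PUBLIC, 80, flags)

    trace = [handle(pkt(SYN), ct, require_syn), handle(pkt(ACK), ct, require_syn)]
    ct.flush()   # the CT-table flush the reply mentions (e.g. `conntrack -F`)
    trace.append(handle(pkt(ACK), ct, require_syn))
    return trace


if __name__ == "__main__":
    for require_syn in (True, False):
        print(f"--syn in PREROUTING: {require_syn}")
        for step in run_scenario(require_syn):
            print("  ", step)
```

With `--syn` the post-flush ACK is left untranslated (destination stays a.b.c.d); without it the nat rule rewrites the packet to w.x.y.z before INPUT ever sees it. In this ruleset INPUT drops the stray packet either way because the second INPUT rule also carries `--syn`, which is what makes the two checks complementary.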